winnox Privacy Policy

1. Who We Are

This Privacy Policy applies to the winnox online casino and sportsbook platform, accessible at winnox.app ("Platform"), operated by the winnox entity licensed under an international gaming authority ("winnox", "we", "us", "our").

winnox is the data controller in respect of personal data collected from players and website visitors through the Platform. If you have any questions about how winnox handles your personal data, please contact us using the details at Section 14 of this Policy.

2. Personal Data We Collect

winnox collects personal data through a number of channels when you interact with the Platform. The categories of personal data we collect include:

2.1 Registration Data. When you create a winnox Account, we collect your full name, date of birth, email address, chosen username, and your registered Malaysian mobile number. This information is required to create and manage your Account.

2.2 Identity Verification (KYC) Data. To comply with our licence conditions and anti-money laundering obligations, we collect identity documents — typically a Malaysian MyKad or passport — along with selfie verification images and, where required, proof of address or source of funds documentation.

2.3 Financial Data. We collect details of your payment methods to process deposits and withdrawals. This includes your Touch n Go eWallet account reference, Boost account reference, FPX bank account details (bank name, masked account number), and transaction history on the Platform. winnox does not store full payment card numbers where card payments are used; card data is handled by our PCI-DSS compliant payment processor.

2.4 Gaming Activity Data. We maintain records of your gaming activity on the Platform, including game sessions, bets placed, game outcomes, bonus usage, and session duration. This data is used for account management, dispute resolution, responsible gaming monitoring, and regulatory compliance.

2.5 Device and Technical Data. When you access the Platform, we automatically collect your IP address, device type and identifier, browser type and version, operating system, and session timestamps. This data is used for security monitoring, fraud detection, and Platform performance optimisation.

2.6 Communications Data. We retain records of your communications with winnox support, including Live Chat transcripts and email correspondence. These records are maintained for quality assurance, dispute resolution, and regulatory compliance purposes.

2.7 Responsible Gaming Data. Where you voluntarily use winnox's responsible gaming tools (deposit limits, loss limits, self-exclusion), we record the settings you configure and the dates on which they were applied. This data is used solely to enforce the controls you have chosen and to protect your interests as a player.

3. How We Use Your Personal Data

winnox uses your personal data for the following purposes:

• Creating, managing, and securing your Account on the Platform;
• Verifying your identity and age (21+) in compliance with our licence conditions;
• Processing deposits and withdrawal requests via your chosen payment methods;
• Providing access to casino games, live dealer tables, the sportsbook, and all other Platform services;
• Administering bonuses, promotions, and loyalty rewards associated with your Account;
• Detecting and preventing fraud, money laundering, underage gambling, and other prohibited conduct;
• Complying with our obligations under our international gaming authority licence and applicable law, including anti-money laundering (AML) and counter-terrorism financing (CTF) requirements;
• Providing customer support and resolving disputes;
• Monitoring and enforcing responsible gaming controls you have configured on your Account;
• Sending you service communications relevant to your Account (e.g., security alerts, withdrawal confirmations, KYC requests);
• Sending promotional communications where you have consented to receive them — you may withdraw this consent at any time by contacting support;
• Analysing Platform usage patterns to improve performance, game selection, and user experience;
• Maintaining records as required by our regulatory and legal obligations.

4. Legal Bases for Processing

winnox processes your personal data under the following legal bases:

• Contractual necessity: Processing required to perform our contract with you — i.e., to operate your Account and provide the Platform services you have signed up for.
• Legal obligation: Processing required to comply with our regulatory and legal obligations, including KYC identity verification, AML/CTF monitoring, and licence condition compliance.
• Legitimate interests: Processing for fraud prevention, security monitoring, Platform improvement, and responsible gaming monitoring, where these interests do not override your fundamental rights.
• Consent: Processing for optional purposes, such as sending marketing communications. Where consent is the legal basis, you may withdraw it at any time without affecting the lawfulness of prior processing.

5. Sharing Your Personal Data

winnox does not sell, rent, or trade your personal data to third parties. We share data only in the following circumstances:

5.1 Service Providers. We share data with trusted third-party service providers who assist in the operation of the Platform, including payment processors, identity verification providers, game software suppliers, cloud hosting providers, and customer support platform providers. All service providers are bound by data processing agreements requiring them to protect your data and use it only for the specific purpose for which it was shared.

5.2 Regulatory Authorities. We may be required to disclose personal data to our licensing authority, financial intelligence units, law enforcement agencies, or other regulatory bodies where required by law or where we have a good-faith belief that disclosure is necessary to comply with a legal obligation or protect the rights of winnox or third parties.

5.3 Responsible Gaming Bodies. Where a Player is placed on a self-exclusion register administered by a gaming regulatory body, winnox may be required to share limited identification data with that registry to enforce exclusion across multiple operators.

5.4 Business Transfers. In the event of a merger, acquisition, or sale of all or part of winnox's business, your personal data may be transferred to the acquiring entity, subject to the same level of data protection as set out in this Policy. You will be notified of any such transfer.

6. KYC & Identity Verification Data

Identity documents submitted for KYC purposes (MyKad, passport, proof of address, selfie images) are treated with the highest level of confidentiality. This data is:

• Stored in encrypted, access-controlled systems separate from general Account data;
• Accessible only to trained KYC compliance personnel and, where required, our licensed identity verification service provider;
• Retained for the period required under our licence conditions and applicable AML legislation — typically a minimum of five years after Account closure;
• Never shared with any third party except as required by law or regulatory obligation.

If your KYC application is rejected, the documents you submitted will be deleted within 30 days of the rejection notification, unless retention is required by applicable law.

7. Cookies & Tracking Technologies

The winnox Platform uses cookies and similar tracking technologies to deliver and improve the Platform experience. The types of cookies we use include:

• Essential cookies: Required for the Platform to function — including session authentication, security tokens, and load balancing. These cannot be disabled without breaking core Platform functionality.
• Functional cookies: Store your preferences such as language settings, game lobby filters, and responsible gaming tool configurations.
• Analytical cookies: Collect anonymised data about how players use the Platform, which games are popular, and where technical errors occur. This data is used to improve the Platform. It does not identify you personally.
• Security cookies: Used for fraud detection and to identify unusual access patterns that may indicate unauthorised access to your Account.

winnox does not use third-party advertising cookies or cross-site tracking technologies. You may manage cookie preferences through your browser settings; however, disabling essential cookies will prevent you from logging in to the Platform.

8. Data Retention

winnox retains your personal data for the periods set out below, after which data is securely deleted or anonymised:

• Active Account data: Retained for the duration of your Account plus a minimum of five years after closure, as required by our licence and AML legislation.
• KYC and identity documents: Retained for a minimum of five years after Account closure in compliance with AML regulations.
• Financial transaction records: Retained for a minimum of five years after the date of each transaction.
• Gaming activity logs: Retained for a minimum of three years for dispute resolution and regulatory purposes.
• Support communications: Retained for two years after the date of the communication, unless the communication relates to an unresolved dispute.
• Marketing consent records: Retained until consent is withdrawn and for one year thereafter as evidence of the consent.

9. Your Data Rights

Subject to applicable law and our regulatory obligations, you have the following rights in respect of your personal data held by winnox:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data, subject to our legal obligations — note that regulatory retention requirements may prevent full erasure in some cases.
• Right to restriction: Request that we restrict processing of your data in certain circumstances.
• Right to object: Object to processing based on our legitimate interests. We will cease such processing unless we can demonstrate compelling grounds that override your interests.
• Right to data portability: Request a machine-readable copy of personal data you provided to us, where technically feasible.
• Right to withdraw consent: Where processing is based on consent (e.g., marketing communications), withdraw that consent at any time without affecting prior processing.

To exercise any of these rights, please contact winnox via Live Chat or by email at: [email protected]. We will respond within 30 days of receiving your request. We may need to verify your identity before processing certain requests.

10. Data Security

winnox implements a range of technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:

• 256-bit TLS encryption on all data transmitted between your device and our servers;
• Encryption at rest for all databases containing personal and financial data;
• Role-based access controls ensuring staff can only access data necessary for their specific function;
• Multi-factor authentication required for all winnox staff accessing production systems;
• Regular penetration testing and vulnerability assessments by independent security firms;
• Real-time security monitoring and intrusion detection systems;
• Staff data protection training as a condition of employment and renewed annually.

While we take all reasonable steps to protect your data, no internet transmission is 100% secure. You are responsible for maintaining the security of your own Account credentials and for notifying us immediately if you suspect unauthorised access.

11. International Data Transfers

The operation of the winnox Platform may involve the transfer of your personal data to servers or service providers located outside Malaysia. Where such transfers occur, winnox ensures that appropriate safeguards are in place to protect your data at a level equivalent to the protections provided under applicable Malaysian personal data protection principles. These safeguards include contractual data processing agreements with all data processors incorporating standard data protection clauses.

12. Children's Privacy — 21+ Only

The winnox Platform is strictly intended for adults aged 21 and above. We do not knowingly collect personal data from individuals under 21 years of age. If we become aware that a player under 21 has registered an Account, we will immediately close the Account, return any deposited funds to the payment source, and delete all associated personal data. If you believe a person under 21 has opened a winnox Account, please contact us immediately via Live Chat or at [email protected].

13. Changes to This Privacy Policy

winnox reserves the right to update this Privacy Policy from time to time to reflect changes in our data practices, regulatory requirements, or operational needs. When we make material changes, we will notify you via a notification within the Platform or by email to your registered address at least 14 days before the changes take effect. The updated Policy will display a revised "Last Updated" date at the top of this page. Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the revised terms.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or the way winnox handles your personal data, please contact our Data Protection team via:

• Live Chat: Available 24/7 from any page on the Platform — the fastest way to reach us.
• Email: [email protected] — for written data rights requests and formal privacy enquiries. Please mark your subject line "Privacy Request" for faster routing.

We aim to acknowledge all privacy-related enquiries within 48 hours and to provide a full response within 30 days.